VDB

GCVE-110-OSM-2026-5893

GCVE-110-OSM-2026-5893
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 14, 2026
This package is a trojanized clone of the legitimate `base-x` library (cryptocoinjs/base-x). The `decode` function has been backdoored to silently POST every decoded string to a hardcoded Telegram bot (`7775457351:AAEM92rF8YltwV5EOvWsOPIfXMInbA5ltcA`, chat `-1002382353252`) via `api.telegram.org/bot.../sendMessage` on every invocation. Since `base-x` is commonly used for base58/cryptocurrency address decoding, this backdoor is specifically positioned to exfiltrate private keys, seeds, wallet addresses, or any other sensitive data passed through the decode function. The publisher `kryptodev` also maintains `base58-ts` and `tgnode`, suggesting a deliberate campaign targeting crypto-related packages with Telegram-based C2 infrastructure. ENTRY src/cjs/index.cjs (main: src/cjs/index.cjs) DESTINATION - reconstructed: https://api.telegram.org/bot7775457351:AAEM92rF8YltwV5EOvWsOPIfXMInbA5ltcA/sendMessage (primary, reconstructed) in src/cjs/index.cjs - telegram-bot: 7775457351:AAEM92rF8YltwV5EOvWsOPIfXMInbA5ltcA (plaintext) in src/cjs/index.cjs - telegram-bot: api.telegram.org/bot${token}/sendMessage`; (plaintext) in src/cjs/index.cjs - domains: api.telegram.org (c2, plaintext) OBFUSCATION - recovered 2 urls, 1 domains from decoded/deobfuscated content ADDITIONAL FINDINGS - Reconstructed Obfuscated URL in src/cjs/index.cjs: "https://api.telegram.org/bot7775457351:AAEM92rF8YltwV5EOvWsOPIfXMInbA5ltcA/sendM..." PAYLOAD FILES src/cjs/index.cjs (+ src/esm/index.js) INDICATORS (IOCs) - domains: cdn.rawgit.com - payloadFileHash: bdae45316dd613061618ecabde06f5011dfcdaf8514205773dc351b2cf0b5a64

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownbase-x-ts5.0.4 (affected)

References

vendor

Browse GCVE Records

72,409 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›